PandaLabs, Panda Security’s anti-malware laboratory, has detected a massive attack on hundreds of users in the United States and other countries in which hackers are using emails purporting to be from Netflix in order to steal user account passwords.

The phishing attack uses a fraudulent email with the subject “Notice – Document”, followed by a sequence of numbers such as “941-4259”. The email, which does a good job of impersonating an actual email sent by Netflix, asks victims to validate the login credentials they use to access the platform.

However, the link displayed does not take users to the Netflix website, but to a fraudulent page. The worst thing about this attack is not the fact that it may allow the attackers to use the stolen data to watch movies and TV shows for free, or sell the accounts to others so they can enjoy free audiovisual content at your expense.


“The real threat lies in the fact that these criminals are selling the stolen passwords indiscriminately on the black market, which may lead to further, large-scale attacks, as many users use the same access credentials for different services and other hackers could use them to break into their email or social media accounts. There is no doubt that these attacks are masterminded by cyber-crime gangs going after people’s money,” explains Luis Corrons, Technical Director of PandaLabs.

Three easy ways to detect the Netflix phishing attack

First, take a look at the email subject. Since the email has supposedly been sent by the Marketing or Sales Department of a reputable company such as Netflix, you would expect its subject line to be meaningful text related to its content.

That’s not the case here. If you receive an email from Netflix or any other service, free or paid, with a vague or unintelligible subject line, be wary and run an antivirus scan.

Second, the message is written in English. If you live in a non-English-speaking country, this is highly suspicious unless you have set your Netflix Communication settings to receive all communications in English. Also, we recommend that you check the URL displayed in your Web browser’s address bar to make sure it doesn’t show a dubious domain name.

Finally, the second paragraph in the email reads as follows: “Failure to complete the validation process will result in a suspension of your Netflix membership.” This type of text aims at triggering a quick reaction from the victim, rushing them to update their access credentials.

However, that message is too aggressive to appear in a commercial communication, and it is highly unlikely that a reputable company such as Netflix would cancel a user’s subscription because of a problem with their platform.
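
The checks described above can be expressed as a mail-filter heuristic. The following is an added example, not PandaLabs' code: the sample message, the `netflix.com` allow-list, the lenient subject pattern and all function names are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Subject from the article: "Notice – Document" plus digits such as "941-4259".
# Assumption: exact spacing and dash character vary, so the pattern is lenient.
SUBJECT_RE = re.compile(r"Notice\s*[-\u2013\u2014]\s*Document\W*\d[\d-]*", re.I)
# Suspension threat quoted in the article's third check.
URGENCY_RE = re.compile(r"failure to complete the validation process.*?suspension",
                        re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
TRUSTED = ("netflix.com",)  # assumption: only this domain and its subdomains are legitimate

def host_is_trusted(url):
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def body_text(msg):
    """Concatenate all text parts, decoding any transfer encoding."""
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)

def check_message(raw):
    """Return which of the article's indicators the raw message matches."""
    msg = message_from_string(raw)
    body = body_text(msg)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    if URGENCY_RE.search(body):
        hits.append("urgency")
    if any(not host_is_trusted(u) for u in URL_RE.findall(body)):
        hits.append("untrusted_link")
    return hits

# Constructed sample; example.net stands in for the fraudulent page's domain.
SAMPLE = """From: Netflix <support@example.net>
Subject: Notice - Document 941-4259
Content-Type: text/plain

Please validate your login: http://netflix.com.login.example.net/validate

Failure to complete the validation process will result in a suspension of
your Netflix membership.
"""

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

The host comparison matches on the registered domain suffix rather than a substring, so a lookalike host that merely begins with `netflix.com` is still flagged.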